CVE-2022-25194

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in Jenkins autonomiq Plugin allows attackers to trick authenticated users into unknowingly connecting Jenkins to attacker-controlled servers with attacker-specified credentials. This affects all Jenkins instances running autonomiq Plugin version 1.15 or earlier. The vulnerability enables attackers to potentially intercept sensitive data or manipulate Jenkins operations.

💻 Affected Systems

Products:
  • Jenkins autonomiq Plugin
Versions: 1.15 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the autonomiq plugin to be installed and configured in Jenkins. The vulnerability exists in the plugin's web interface forms.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could redirect Jenkins to malicious servers, intercepting sensitive build data, credentials, and artifacts, potentially leading to data theft, supply chain compromise, or unauthorized code execution.

🟠 Likely Case

Attackers could redirect Jenkins to capture sensitive information from builds or manipulate build processes to inject malicious code into software artifacts.

🟢 If Mitigated

With proper CSRF protections and network segmentation, impact is limited to potential data exposure from the autonomiq plugin's specific functionality.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking an authenticated Jenkins user with appropriate permissions to visit a malicious webpage while logged into Jenkins.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.16

Vendor Advisory: https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2545

Restart Required: Yes

Instructions:

1. Update Jenkins autonomiq Plugin to version 1.16 or later via Jenkins Plugin Manager.
2. Restart Jenkins after the plugin update.
3. Verify the plugin version in Manage Jenkins > Manage Plugins > Installed tab.

🔧 Temporary Workarounds

Disable autonomiq Plugin (applies to: all)

Temporarily disable the vulnerable plugin if immediate patching is not possible.

Navigate to Manage Jenkins > Manage Plugins > Installed tab, find autonomiq Plugin, click Disable

Enable CSRF Protection (applies to: all)

Ensure Jenkins' global CSRF protection is enabled. Note that this alone does not close the plugin-specific vulnerability, which may still be exploitable.

Navigate to Manage Jenkins > Configure Global Security, ensure 'Prevent Cross Site Request Forgery exploits' is checked

🧯 If You Can't Patch

  • Implement strict network controls to limit Jenkins server outbound connections to only trusted destinations.
  • Have Jenkins users run browser extensions or settings that block third-party cookies, and add CSRF token validation in front of Jenkins where possible.

🔍 How to Verify

Check if Vulnerable:

Check Jenkins Plugin Manager for autonomiq Plugin version. If version is 1.15 or earlier, the system is vulnerable.

Check Version:

# Quote the URL so the shell does not treat '?' as a glob; the API needs a user with Overall/Read, so pass an API token.
# The response is {"plugins":[{"shortName":"...","version":"..."},...]}, so match on shortName rather than a nested "autonomiq" key.
curl -s -u "$JENKINS_USER:$JENKINS_API_TOKEN" "http://jenkins-host/pluginManager/api/json?tree=plugins[shortName,version]" \
  | python3 -c 'import json,sys; print([p["version"] for p in json.load(sys.stdin)["plugins"] if p["shortName"]=="autonomiq"])'

Verify Fix Applied:

Verify autonomiq Plugin version is 1.16 or later in Manage Jenkins > Manage Plugins > Installed tab.
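The manual checks above (is the plugin installed, is it 1.15 or earlier, is the fix at 1.16 or later present) can be automated against the same pluginManager JSON API. The script below is an added example, not code from the advisory or the Jenkins project. It assumes the standard Jenkins endpoint /pluginManager/api/json, whose response carries a "plugins" array of objects with "shortName" and "version" keys, and an API token for a user with Overall/Read for the optional live fetch; the embedded sample responses are constructed, not captured from a real server.

```python
"""Check a Jenkins instance for CVE-2022-25194 via the pluginManager JSON API.

Added example (not from the advisory page or the Jenkins project). Assumes the
standard /pluginManager/api/json endpoint, whose "plugins" array holds objects
with "shortName" and "version" keys, and a user with Overall/Read plus an API
token for the optional live fetch.
"""
import base64
import json
import re
import sys
import urllib.request
from typing import Optional

PLUGIN = "autonomiq"
FIXED_IN = (1, 16)  # first non-vulnerable release per the advisory


def parse_version(version: str) -> tuple:
    """Turn '1.15', '1.16.1' or '1.16-rc1' into a comparable tuple of ints.

    Non-numeric suffixes are dropped, so '1.16-rc1' compares as (1, 16).
    """
    parts = []
    for piece in re.split(r"[.\-]", version):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def installed_version(plugin_api_json: str, short_name: str = PLUGIN) -> Optional[str]:
    """Return the installed version string of the plugin, or None if absent."""
    data = json.loads(plugin_api_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == short_name:
            return plugin.get("version")
    return None


def assess(plugin_api_json: str) -> str:
    """Classify the instance as 'not-installed', 'vulnerable' or 'fixed'."""
    version = installed_version(plugin_api_json)
    if version is None:
        return "not-installed"
    if parse_version(version) < FIXED_IN:
        return "vulnerable"
    return "fixed"


def fetch_plugin_json(base_url: str, user: str, api_token: str) -> str:
    """Fetch the plugin list from a live Jenkins (needs Overall/Read).

    The 'tree' query parameter limits the response to the two fields used.
    """
    url = base_url.rstrip("/") + "/pluginManager/api/json?tree=plugins[shortName,version]"
    creds = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + creds})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


# Constructed sample responses (not captured from a real server).
SAMPLE_VULNERABLE = json.dumps({"_class": "hudson.LocalPluginManager", "plugins": [
    {"shortName": "git", "version": "4.10.2"},
    {"shortName": "autonomiq", "version": "1.15"},
]})
SAMPLE_FIXED = json.dumps({"plugins": [{"shortName": "autonomiq", "version": "1.16"}]})
SAMPLE_ABSENT = json.dumps({"plugins": [{"shortName": "git", "version": "4.10.2"}]})

if __name__ == "__main__":
    # Usage: python3 check_autonomiq.py https://jenkins-host USER API_TOKEN
    # With no arguments the constructed vulnerable sample is assessed instead.
    if len(sys.argv) == 4:
        body = fetch_plugin_json(sys.argv[1], sys.argv[2], sys.argv[3])
    else:
        body = SAMPLE_VULNERABLE
    print(f"{PLUGIN} {installed_version(body)}: {assess(body)}")
```

Run with no arguments to see the three-way classification on the constructed sample; pass a base URL, user and API token to query a real instance. Version strings are compared as integer tuples rather than as text, so that "1.9" is correctly treated as older than "1.16".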

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound connections from Jenkins to unfamiliar servers
  • Changes to autonomiq plugin configuration without corresponding admin activity

Network Indicators:

  • Jenkins server making unexpected outbound HTTP/HTTPS connections to unknown IPs/domains
  • Traffic patterns suggesting data exfiltration through autonomiq plugin

SIEM Query:

source="jenkins.log" AND ("autonomiq" AND ("configuration changed" OR "connection established"))
